From ca4282102b8aecbd9658e216bad50c5cb42eb232 Mon Sep 17 00:00:00 2001
From: Dave Sugar
Date: Thu, 13 Feb 2020 12:33:44 -0500
Subject: [PATCH] Add interface to read/write /dev/ipmi

/dev/ipmi is labeled, but no interfaces exist to grant access to the device. Adding interface for read/write access, I'm not sure of read-only access is usefull. ipmitool seems to only read and write

type=AVC msg=audit(1581618155.319:786): avc: denied { read write } for pid=4498 comm="ipmitool" name="ipmi0" dev="devtmpfs" ino=10460 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1581618155.319:786): avc: denied { open } for pid=4498 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=10460 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1581618155.320:787): avc: denied { ioctl } for pid=4498 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=10460 ioctlcmd=6910 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f525cf2a3..16f0ffa34 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2187,6 +2187,24 @@ interface(`dev_manage_input_dev',`
 manage_chr_files_pattern($1, device_t, event_device_t)
 ')
 
+########################################
+##
+## Read and write ipmi devices (/dev/ipmi*).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_ipmi_dev',`
+ gen_require(`
+ type device_t, ipmi_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, ipmi_device_t)
+')
+
 ########################################
 ##
 ## Get the attributes of the framebuffer device node.
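Review bot: The summary of the new `dev_rw_ipmi_dev` interface understates what it grants: `rw_chr_files_pattern` on `ipmi_device_t` gives the full `rw_chr_file_perms` set, which in refpolicy includes `ioctl` (consistent with the `ioctlcmd=6910` denial quoted in the message), so a caller gets unrestricted command access to the BMC (power control, SEL, BMC user/channel configuration), not merely "read and write". I would state that in the summary so the interface is not handed out casually, e.g. `##	Read, write and ioctl IPMI devices (/dev/ipmi*). This is full command access to the BMC; grant only to trusted management domains such as ipmi_t.` Note also that this diff only adds the interface; the call that actually grants it to `ipmi_t`, the domain in the quoted AVCs, is not here, so presumably it comes in a separate ipmi-module change worth confirming. If narrowing ever becomes necessary, ioctl allowlisting via `allowxperm` would be the mechanism, but that is beyond this patch.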